[04:14] <Zarathuztra|2> anyone around that can help out?
[04:44] <sarnold> with what?
[08:09] <lordievader> Good morning.
[09:04] <friendlyguy> good morning ;)
[09:08] <diytto> hi, i have my server set to only accept pubkey ssh connections, but my server seems to not be accepting those connections for my user
[09:08] <diytto> i haven't changed anything with ssh configs, and i can still login as another user
[09:09] <diytto> however, this other user does not have sudo rights
[09:09] <diytto> any suggestions?
[09:09] <diytto> i am still open on an sftp connection with the server on the account i am lockedout of
[09:10] <friendlyguy> diytto: did you add your pubkey to authorized_keys?
[09:10] <diytto> yeah, i have had it in there since the beginning
[09:10] <diytto> i have always been able to log in with it
[09:11] <diytto> i haven't changed it in any way, yet am unable to log in
[09:11] <friendlyguy> kk, and you were able to connect with ssh via pubkey before? Or did you enter a password upon login?
[09:11] <diytto> i used pubkey previously
[09:11] <diytto> i have password disabled
[09:11] <friendlyguy> k
[09:11] <friendlyguy> did you change anything at all?
[09:11] <diytto> no
[09:12] <diytto> only thing i have done is copy the authorized keys to another user on the server
[09:12] <friendlyguy> have you tried to login to another host with this keypair? maybe something is broken
[09:12] <OpenTokix> diytto: what does ssh -vvvvv say?
[09:12] <diytto> i don't know how that would make a difference
[09:12] <diytto> same key works on another user
[09:13] <diytto> OpenTokix: i am getting nothing with that
[09:14] <diytto> it just tells me correct usage of ssh
[09:14] <friendlyguy> i think he meant to add verboooooose output to your connection
[09:14] <diytto> the exact same authorized keys works on a separate account
[09:14] <diytto> ah okay hold on
[09:16] <friendlyguy> maybe you could also check your file permissions in ~/.ssh... should be 700 over the place
[09:16] <diytto> is there a paste tool you would prefer i use?
[09:17] <friendlyguy> i don't care, but maybe there are some "rules" in here for which pastebin to use
[09:17] <friendlyguy> ...f you want to show large texts, such as errors, use the pastebin and post the URL to the paste instead.... http://paste.ubuntu.com/
[09:17] <friendlyguy> from: https://wiki.ubuntu.com/IRC/Guidelines?action=show&redirect=IrcGuidelines
[09:17] <diytto> http://paste.ubuntu.com/11695170/
[09:18] <friendlyguy> did you check the permissions?
[09:19] <diytto> how do i check specific permissions
[09:19] <friendlyguy> ls -la ~/.ssh
[09:19] <OpenTokix> .ssh should be 700 and files in .ssh 600
[09:19] <OpenTokix> btw.
[09:19] <OpenTokix> and owned by your user and your personal group
[09:20] <diytto> everything looks fine
[09:20] <diytto> on my end
[09:21] <friendlyguy> this last "Permission denied (publickey)."...
[09:22] <diytto> server is fine with permissions too
[09:23] <diytto> i am able to edit my authorized_hosts
[09:23] <diytto> i have an sftp connection that was open previously before this issue
[09:24] <diytto> no cli access
[09:28] <friendlyguy> could you try to use the -i (together with -vvv) option of ssh, to point directly to the right keyfile?
[09:28] <davegarath> diytto: the file name for the public keys is authorized_keys, not authorized_hosts
[09:30] <diytto> davegarath: i am using the authorized_keys file, i am tired atm
[09:30] <diytto> friendlyguy: let me try
[09:32] <diytto> http://paste.ubuntu.com/11695216/
[09:36] <friendlyguy> r u using selinux?
[09:36] <diytto> no
[09:36] <friendlyguy> maybe you messed that up
[09:36] <diytto> i am on OS X, server is ubuntu
[09:36] <OpenTokix> diytto: debug1: Offering RSA public key: /Users/diytto/.ssh/diyttoaws.pem
[09:36] <OpenTokix> I am guessing that is the problem
[09:37] <OpenTokix> diytto: for the -i you have to provide the full path to the key, it will not select that name of key from your .ssh dir
[09:37] <diytto> OpenTokix: even if i am in the .ssh dir?
[09:37] <OpenTokix> I think so
[09:37] <friendlyguy> i just found one mac user with "slightly" the same problem:
[09:37] <friendlyguy> ...on my Mac, the file /etc/ssh_config had the line  PubkeyAuthentication = no   I commented out that one line, and now everything works fine....
[09:38] <OpenTokix> friendlyguy: that is not standard behaviour on the mac.
[09:38] <friendlyguy> kk
[09:38] <friendlyguy> I've got very little clue about macs
[09:39] <OpenTokix> diytto: but you might also want to check out your /etc/ssh_config
[09:39] <diytto> I've never had a problem with logging in before
[09:39] <OpenTokix> debug3: Could not load "id_rsa.pub" as a RSA1 public key
[09:39] <diytto> OpenTokix: i get the same thing with the full path
[09:39] <OpenTokix> diytto: ok, post the debug-output
[09:40] <friendlyguy> i thought: "debug2: key: id_rsa.pub (0x7ff35b700140), explicit" is indicating the use of the keyfile
[09:40] <friendlyguy> maybe you could also show us some log output from the server
[09:41] <diytto> http://paste.ubuntu.com/11695243/
[09:41] <diytto> i can possibly
[09:41] <diytto> where is log info located
[09:41] <OpenTokix> debug3: Could not load "/Users/diytto/.ssh/id_rsa.pub" as a RSA1 public key
[09:41] <OpenTokix> There is your problem
[09:41] <OpenTokix> do a ls -l /Users/diytto/.ssh/id_rsa.pub
[09:42] <OpenTokix> oh
[09:42] <OpenTokix> haha
[09:42] <OpenTokix> now I get it
[09:42] <OpenTokix> =)
[09:42] <diytto> -rw-------+ 1 diytto  staff  402 Jul 18  2014 /Users/diytto/.ssh/id_rsa.pub
[09:42] <OpenTokix> You are trying to login with your public key
[09:42] <OpenTokix> ssh -i ~/.ssh/id_rsa diytto@de.diytto.com
[09:42] <OpenTokix> this will work
[09:42] <friendlyguy> ouch
[09:43] <OpenTokix> haha, - so easy to miss
[09:43] <diytto> still denied
[09:43] <OpenTokix> ok, now with -vvvv and see the output
[09:44] <diytto> http://paste.ubuntu.com/11695253/
[09:45] <OpenTokix> debug3: Could not load "/Users/diytto/.ssh/id_rsa" as a RSA1 public key
[09:45] <OpenTokix> file /Users/diytto/.ssh/id_rsa
[09:45] <OpenTokix> what does that command output?
[09:45] <OpenTokix> do _NOT_ paste your private key
[09:45] <diytto>      /Users/diytto/.ssh/id_rsa: ASCII text
[09:45] <OpenTokix> ok
[09:45] <OpenTokix> if you look into that file
[09:46] <diytto> also, this fails with a separate pubkey on my phone
[09:46] <OpenTokix> does it start with ----BEGIN RSA PRIVATE KEY----
[09:46] <diytto> if that's helpful
[09:46] <friendlyguy> what's still bugging me, he told us he is able to login with this same key to another user
[09:46] <OpenTokix> and proc-type 4,encrypted - etc.
[09:46] <OpenTokix> friendlyguy: I am guessing the other user is with the aws-pem-file
[09:46] <diytto> OpenTokix: it does
[09:47] <OpenTokix> ls -l /Users/diytto/.ssh/id_rsa
[09:47] <OpenTokix> What does that output?
[09:48] <diytto> -rw-------+ 1 diytto  staff  1679 Jul 18  2014 /Users/diytto/.ssh/id_rsa
[09:48] <OpenTokix> looks correct
[09:49] <diytto> the aws one is for an amazon server
[09:49] <diytto> fyi
[09:49] <friendlyguy> guessed that ;)
[09:49] <diytto> it's not used here
[09:49] <OpenTokix> yes, I guessed that too
[09:49] <OpenTokix> and if you do the exact same command, just switchout user@
[09:49] <OpenTokix> it works?
[09:49] <diytto> my phone has its own pubkey and is also unable to log in
[09:49] <diytto> yeah
[09:49] <OpenTokix> ie. ssh -i /Users/diytto/.ssh/id_rsa otheruser@sameserver ?
[09:49] <diytto> to sb1@de....
[09:50] <skylite> can I enable an apache module only for one vhost?
[09:50] <OpenTokix> skylite: no
[09:50] <skylite> never? :(
[09:50] <OpenTokix> skylite: but you can do the handler only for one vhost
[09:50] <OpenTokix> skylite: so it will be effectively "hidden" for others
[09:50] <diytto> OpenTokix: that works fine
[09:51] <skylite> so I enable a module and hide it in all the other vhosts but one?
[09:51] <OpenTokix> skylite: no, you enable module and add the handler for that module only to the vhost that should have it
[09:51] <friendlyguy> hm... you could verify if your keypair is "cool"
[09:51] <OpenTokix> diytto: hmmm
[09:51] <friendlyguy> ssh-keygen -y -e -f <private key>
[09:51] <friendlyguy> and compare this to your pubkey
[09:52] <diytto> successful connection http://paste.ubuntu.com/11695290/
[09:52] <OpenTokix> diytto: im guessing there is something wrong on the serverside in the authorized_keys file, or its rights
[09:52] <OpenTokix> lunch now, *gone*
[09:52] <skylite> OpenTokix this is a quite simple module Is that gonna work the way you suggest? https://github.com/danghvu/mod_dumpost
[09:53] <diytto> friendlyguy: they appear to be identical
[09:54] <friendlyguy> weird weird
[09:56] <diytto> okay, i have shell access through my znc
[09:56] <diytto> so i can send commands
[10:00] <diytto> friendlyguy: only the last user i added to the server i am able to log in to
[10:03] <diytto> i am afraid i must go to sleep. it's 4am here. i will try to figure this out more in the morning
[10:03] <diytto> thanks for the help you've provided
[10:03] <friendlyguy> youre welcome
[10:03] <friendlyguy> gn8
[10:05] <friendlyguy> is sdc really "sdc"
[10:05] <friendlyguy> oh, sry... wrong window
[10:07] <friendlyguy> hmmm :) maybe one can help me to debug my server a little further... there is an "issue" which is driving me crazy. when i first start my server i can see the post until grub is supposed to start. -> that's when my monitor goes blank. IF i restart it (using ctrl-alt-del) i can watch the POST and grub appears
[10:08] <friendlyguy> AND, if i need to reboot again: i'll get a blank screen opposed to grub. hit ctrl-alt-del again, wait for the post stuff... and grub is there again
[10:08] <friendlyguy> precisely every 2nd "attempt"
[10:33] <OpenTokix> skylite: mod_audit already does that for you
[10:34] <skylite> OpenTokix thx I'll try that one ... already trying with mod_dumpio
[10:35] <OpenTokix> skylite: http://dev.prositen.com/wp/log-post-data-with-apache/ <--- there you have how mod_security does it.
[10:35] <skylite> thx a lot
[10:35] <OpenTokix> skylite: and then you add the Secrules in your vhosts
[10:36] <OpenTokix> skylite: my colleague's site =)
[10:50] <skylite> OpenTokix great writing thx it works :)
[10:52] <OpenTokix> skylite: I forwarded your thanks to my colleague
[11:14] <rbasak> dannf: thanks for the memory corruption fix for MySQL. Any opinions on me pushing this to Debian too? I'm working on Debian mysql-5.6 right now.
[11:15]  * rbasak goes for a walk/lunch while stuff builds
[14:12] <dannf> rbasak: yeah, i'd definitely +1 applying it to debian
[14:12] <rbasak> dannf: OK, thanks!
[14:13] <dannf> rbasak: also, i'd like to get it sru'd back to trusty - should i just go ahead and upload backports?
[14:14] <rbasak> dannf: that's fine - go for it.
[15:01] <friendlyguy> anybody got some experience with zfs dedup? i'd like to turn on dedup for a relatively small pool ~ 2t where I'm going to store vm backups. i read that dedup takes 1-2 gb ram per tb in pool, so here max 4gb. I've got 16gb ram sitting in this machine, so looks good to me. BUT, I read on the german ubuntu wiki to "NEVER" turn on dedup.
[15:09] <ogra_> kickinz1, my owncloud snappy install constantly pops up an upgrade warning, are you working on a 8.0.3 snap ? (or is anyone)
[15:28] <kickinz1> ogra_, no
[15:40] <ogra_> kickinz1, well, it would be nice to have that upgraded somehow ...
[16:10] <kickinz1> ogra_, yes planned around next week.
[16:10] <ogra_> kickinz1, awesome, thanks :)
[16:10] <ogra_> if you need a tester, just ping me :)
[16:11] <kickinz1> ogra_, Ok, I'll do!
[16:27] <squisher> rbasak, another look at bcache-tools please... someone already spotted a bug :)
[16:27] <squisher> it's again rather trivial changes
[16:30] <rbasak> squisher: that looks fine. Is that two separate fixes in one commit or are they related to the same issue?
[16:30] <rbasak> squisher: and does piuparts pass now?
[16:31] <squisher> rbasak, hm, yeah, they should probably be separate
[16:31] <squisher> I'll check piuparts, but I tested it in pbuilder
[16:31] <rbasak> squisher: "Fix dracut" isn't really helping me. Maybe describe what you're fixing and why?
[16:32] <rbasak> (well, clearly you're fixing "dracut", but I mean the actual problem you're fixing)
[16:32] <squisher> rbasak, hmm, I wonder how I can fix that now with the gbp workflow
[16:33] <rbasak> squisher: don't bother rebasing, it's not worth it. So just add extra commits fixing up the changelog for this time I guess.
[16:33] <squisher> rbasak, yeah, I agree. I should be more careful with my descriptions (basically dracut wasn't working at all before, I was just being lazy)
[16:58] <Gregor3000> why is the check disk failing and reports corrupted files? i tried 3 different USB image burners - 1. UNetbootin in windows, LinuxliveUSB in windows and startup disk creator in linux. every time checking of disk reported error. despite the fact that md5sum matches, i've tested also USB it has no errors in reading & writing.
[16:59] <squisher> rbasak, I'll have to fix that later. I don't really like the gbp changelog handling, but on the other hand I would like to automatically generate the changelog :-\
[16:59] <Gregor3000> i also can not proceed with installer - it stops at 33% when formatting /. i have preexisting software RAID1 that holds /swap and /var/log /data
[17:00] <squisher> Gregor3000, the md5sum of the downloaded image I assume?
[17:00] <squisher> I'd run memtest over night
[17:02] <Gregor3000> correct - miniiso or server - it's not memory as i created and booted the image on different PC's
[17:06] <Gregor3000> in the end it said it can't even detect the image (even though it was booting from it and running other programs on it)
[17:13] <Gregor3000> hwo do i report bug with installer? also when reporting it do i add pictures? or what?
[17:13] <Gregor3000> sorry how
[18:15] <diytto> Hi, I was here last night with my issue if anyone saw it. Basically my server has locked me out from ssh. It is refusing my pubkey auth on my account, even though I have used previously. I can access a different account on the same server with the exact same authorized_keys, but not my personal account. Any ideas?
[18:16] <diytto> My account has sudo access, while the account i am able to access does not
[18:20] <sarnold> diytto: check permissions on your ~/.ssh and ~/.ssh/* files
[18:20] <sarnold> diytto: the sshd is very picky about e.g. too-wide group write support or files owned by the wrong user
[18:20] <diytto> permissions are fine, we went over them last night
[18:21] <diytto> that was the first thing we went over last night :(
[18:21] <sarnold> hehe nice :)
[18:22] <sarnold> is there anything in the logs?
[18:23] <diytto> where can i find the logs on the server
[18:24] <lordievader> diytto: /var/log/ (from there you want auth.log and the syslog)
[18:24] <diytto> alright let me take a look
[18:25] <diytto> well this is a problem
[18:25] <diytto> i can't read the logs
[18:26] <sarnold> can you su, sudo, or login, to the account that can read the logs?
[18:27] <diytto> no
[18:27] <diytto> unless there is a way to login without sudo
[18:27] <lordievader> diytto: He means to your user account with sudo powers.
[18:27] <diytto> no, that is the account i am locked out of
[18:28] <lordievader> diytto: Your ssh is locked, not local login, right?
[18:28] <squisher> afaik ubuntu doesn't use wheel for su, right? So you should be able to su into your sudo-able account if you know your local password
[18:29] <diytto> just ssh is locked
[18:29] <squisher> diytto, that's probably what lordievader is talking about too :)
[18:29] <squisher> then you shouldn't have a problem :)
[18:29] <lordievader> Yes, su'ing into the 'locked' account.
[18:29] <diytto> ah okay
[18:30] <diytto> i wasn't aware i could do that
[18:30] <diytto> okay i am in
[18:30] <lordievader> diytto: Then read the logs.
[18:34] <diytto> it looks like permissions for my home directory are wrong?
[18:34] <squisher> I guess if your home dir is 777 then other people could change the perms of your ~/.ssh dir
[18:36] <diytto> i am the only one on the server
[18:36] <lordievader> Still, sshd doesn't like that.
[18:37] <squisher> hm, I may be wrong on that, but anyway, what lordievader said
[18:37] <lordievader> As sarnold said, sshd is very picky.
[18:37] <diytto> i never changed that though, and I've never had an issue logging in previously
[18:38] <diytto> home dir perms drwxr-xr-x  8 sb1  sb1   4096 Jun 11 01:55 diytto
[18:38] <squisher> diytto, that's not 777 - you should paste the error from the logs
[18:38] <diytto> drwx------  2 diytto diytto    4096 Jun 11 04:04 .ssh
[18:39] <sarnold> sb1 vs diytto??
[18:39] <diytto> oh wow i missed that
[18:40] <diytto> that fixed it
[18:40] <diytto> wow
[18:40] <diytto> i have no idea how that happened
[18:41] <squisher> `history | grep sb1` ;-)
[18:42] <diytto> thanks so much guys
[18:42] <diytto> i never would have found that issue
[18:42] <sarnold> all sorted?
[18:43] <diytto> yep, thanks
[18:44] <sarnold> sweet :)
[18:49] <shirgall> Hrm, the openssl update seems to have no changelog other than the Debian one.
[18:50] <sarnold> shirgall: what are you looking at? it should be quite extensive: https://launchpad.net/ubuntu/+source/openssl/+changelog
[18:51] <shirgall> This -> /usr/share/doc/openssl/changelog.gz has a link to ../libssl1.0.0/changelog.gz which is missing
[18:53] <shirgall> But, the main thing is that it looks like logjam vulnerability, fixed in 1.0.1n, is not yet integrated, that's what I was trying to determine.
[18:54] <sarnold> OH!
[18:54] <sarnold> I see, you're actually talking about the changelog.gz file. feel free to ignore that. what you want is the changelog.Debian.gz file
[18:54] <shirgall> Yeah, it just surprised me that there was a dead link in openssl
[18:56] <shirgall> At any rate, i was looking for CVE-2015-4000 and didn't find it
[18:56] <friendlyguy> hmmm. quick question: i've installed htop, but i don't get any percentage numbers of core / ram usage
[18:58] <mdeslaur> shirgall: the CVE-2015-4000 is actually about the TLS flaw, I didn't use it in the openssl updates. With the last openssl update, the export ciphers were disabled, and today's update rejects shorter than 768 dh params.
[18:58] <mdeslaur> shirgall: so if you install today's openssl update, you're all set with the logjam mitigations
[18:58] <shirgall> mdeslaur: yeah, i poked in gnutls, but while I was looking around, I noticed the dead line
[18:58] <shirgall> link
[18:59] <shirgall> mdeslaur: ok, cool, thanks
[19:50] <friendlyguy> is there a way to install mate-core with gdm or lightdm on a ubuntu server? (without actually installing stuff like evolution-server and crap)
[19:52] <sarnold> friendlyguy: apt-get install the specific leaf packages you want, they ought to drag in whatever they need
[20:57] <mitfree> I have been using apt to update my 14.04 VPS and now my /boot is full. I've been unable to update. What is the right way to keep my /boot nice and clean?
[21:05] <hexch> mitfree: clean up boot
[21:05] <hexch> remove unused kernel.
[21:05] <RoyK> next time, use a larger /boot
[21:05] <RoyK> using 200 megs or so for /boot is nonsense
[21:06] <RoyK> and as hexch said, clean up old stuff
[21:06] <mitfree> https://img.bi/#/mOFiH0x!YtDlPwylaNEQyiyvgAwkhpoAUTBOpAGqgQlgXood
[21:06] <sarnold> RoyK: didn't you have a nice short command last time this came up, something that looked way simpler than my usual method?
[21:06] <RoyK> sometimes you can't remove old kernels easily because of a full filesystem - if so - "> whateverfileyouwanttotruncate" and start over
[21:07] <mitfree> The image is from cloud at cost, so I didn't choose the size. I'm also having trouble with /tmp
[21:07] <RoyK> sarnold: if you remove the file, apt will get angry - if you just truncate the file, it'll remove it easily
[21:08] <RoyK> sarnold: truncate the file with something like "> /boot/thatfile" and do apt-get purge "thatpackage"
[21:09] <mitfree> I posted the results of df -h
[21:09] <RoyK> mitfree: tune2fs -m 0 /dev/sda1
[21:09] <RoyK> mitfree: but remove the old kernels
[21:09] <sarnold> RoyK: I hadn't heard that about the truncation! that'll save a ton of effort :)
[21:10] <RoyK> sarnold: we all learn along :)
[21:11] <mitfree> what do you mean by truncate exactly? is that just changing the file name or actually editing the file by deleting parts of it.
[21:11] <RoyK> mitfree: just removing its contents
[21:11] <RoyK> mitfree: setting filesize to zero
[21:12] <mitfree> interesting idea, I honestly hadn't thought of that.
[21:12] <RoyK> mitfree: just don't truncate the live kernel
[21:12] <_piggy_> Just did a new install of server 14.04. apt-get update says that kernel for utopic (not trusty) is being held back.  Any ideas?
[21:13] <_piggy_> uname -a shows 10.04
[21:13] <_piggy_> bah  14.04
[21:14] <_piggy_> Just tested on another 14.04 and it does not show utopic
[21:15] <RoyK> never had   that issue
[21:16] <_piggy_> Ya. Me neither.  Starnge
[21:16] <_piggy_> Strange that is.  One of those days...
[21:17] <tarpman> _piggy_: run apt-get update and check again. yesterday I had some kernels held back because the metapackages showed up in the archive before the actual kernels did, but all has been ok today
[21:17] <_piggy_> tarpman, will do   thanks.  BRB
[21:18] <tarpman> _piggy_: regarding utopic vs trusty, servers installed from 14.04 or 14.04.1 media will have the trusty (3.13) kernel, servers installed from 14.04.2 media will have the utopic (3.16) kernel
[21:20] <_piggy_> tarpman: That's the install media I used.  Any idea for change?  Repositories show trusty too.
[21:20] <_piggy_> tarpman: I assume it will be ok to proceed then?
[21:21] <tarpman> _piggy_: I don't understand "Any idea for change?", sorry
[21:21] <tarpman> _piggy_: there's no need to downgrade unless something is broken, if that's what you mean
[21:22] <_piggy_> tarpman: Thanks.  You have been a good help. I will see if I can figure out why the kernel change happened.  Thanks!
[21:57] <shirgall> _piggy_: you can learn more about the kernel changes here: https://wiki.ubuntu.com/Kernel/LTSEnablementStack
[22:34] <_piggy_> shirgall:  Thanks.  Saw that not long ago.  Thanks for posting.